On Thu, 17 Feb 2000, jeff andrews wrote:
> With much of the news surrounding L0pht with hacker, Mudge aka
> Peiter Zatko, including the White House security summit, it
> seems to praise their gray hat model.
Don't forget Congress.
>
> L0pht members describe themselves as "gray hats,"
Yes.
> on the edge between
> good and evil hackers.
Now you're putting words into their mouths.
> Besides selling security software, they broke
> into corporate systems and alerted the firms to weaknesses.
They break into corporate systems if the corporation pays them to do so.
They will also publicly publish holes in systems or software, by
researching on their own hardware or copies of software.
>
> http://www.usatoday.com/life/cyber/tech/cth071.htm
>
> More damning is that L0pht has also gone on record as saying that
> "governments and multinational corporations are detrimental to the
> personal liberties on the Internet."
And they're right. Witness the MPAA, Echelon, etc.
> On the other hand, L0pht's new
> company, called @Stake, is a specialized professional services company
> that will provide a full range of security solutions for the e-commerce
> operations of global clients.
And the conflict is that they're serving these same companies that are
a detriment? Someone has to hand out clues to these companies.
>
> http://www.zdnet.com/enterprise/stories/security/news/0,7922,2420340,00.html
>
> Back Orifice is a windows trojan developed by the cDc ...The correlation?
> The Deth Vegetable, as well as several other Cult Of The Dead Cow
> Members (including Mudge and DilDog) are also members of L0pht Heavy
> Industries (according to membership lists posted on both cultdeadcow.com
> and l0pht.com).
That's a mostly factual statement. I'd just modify it to say that BO can
be used as a trojan, not that it *is* a trojan. Most programs can be made
into a trojan. It's just that BO makes a really good one, if you're going
to bother tricking someone into putting software on their machine. SMS
is another good choice.
>
>
> http://www.antionline.com/cgi-bin/News?type=antionline&date=05-03-1999&story=l0pht.news
>
> 1. Is there an ethical issue with L0pht members developing Back Orifice
> 2000, the infamous backdoor, and then profit from a solution that
> protects against it?
Possibly. That's the worst you can say about them, though. I don't
think that's too horrible.
>
> 2. With L0pht's known views on government and corporations, does it make
> sense for them to act as main counsel for the White House?
You'd rather the government didn't listen to any of its critics?
>
> 3. Is there an issue with gray hat hackers that break into systems that
> are then employed as the protectors of those systems?
I don't know if you're implying that they break in without permission..
lots of folks do WITH permission. My definition of grey hat doesn't
include illegal breakins. I can't speak for the L0pht, but I don't
think theirs does either.
I consider it every security guy's job to break into their own systems. I
sure hope there isn't a conflict there.
>
> 4. Are gray hats preferred for securing a firewall than a good security
> consultant?
Implying that's a disjoint set. You just want a good security consultant
you can trust.
>
> 5. Does elevating these gray hat hackers as role models encourage young
> kids to break the law in an effort to become like L0pht?
The L0pht guys aren't lawbreakers (at least not for several years. My
understanding is that one of them has been arrested.) If there is a
general assumption that they are, that might encourage kids. Can you hold
someone accountable for misguided perceptions about them?
>
> 6. Should the press and media be glorifying the gray hat model?
We should worry about the press glorifying DDoS attackers first, and get
to splitting hairs when that problem is solved.
>
> With L0pht, developing exploit tools, raising $10 million from venture
> capitalists for their new start-up company, should Mixter, the developer
> of distributed denial of service (DDOS) exploit tools, go raise money as
> well?
Mixter is a pretty bright guy. If he hooks up some business people,
and starts producing marketable tools and services, there's no reason he
shouldn't raise money.
If you want to claim that you can never trust his code... Well, if he put
out a backdoored product, the rest of us would expose him with no mercy,
same as any other software vendor.
> If they can get Coolio, Mafiaboy, and Mixter together, they might
> want to borrow Lopht's business plan.
Assuming Coolio, Mafiaboy, and Nachoman are the guilty parties, there is
little reason to employ them. There's every indication they used someone
else's tools to do stupid destructive things. What do they have to offer?
Like most terms that refer to hackers, I suspect people have a
misconception about what "grey hat" is supposed to mean.
MY definition means someone who produces tools and advisories like a white
hat, but doesn't necessarily buy into the white hat idea of "proper
disclosure" or "responsible reporting". I.e. rather than try to help out
vendors by giving them warning, etc.. they're going to force vendors to
improve through pain.
Ryan
My opinions are my own, not necessarily those of my employer.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]